Date: Mon, 8 Apr 2024 10:38:06 +0200
From: Friedrich Weber
To: Thomas Lamprecht, Proxmox VE development discussion
Subject: Re: [pve-devel] [PATCH guest-common v2 1/6] guest helpers: add helper to overrule active tasks of a specific type
Message-ID: <7860d762-bd7f-43ce-9557-12bdbf3578b4@proxmox.com>
In-Reply-To: <8616c9a1-9e2c-4147-bd55-c4c8e8511ce4@proxmox.com>

On 06/04/2024 10:37, Thomas Lamprecht wrote:
>> Still, right now I think the primary motivation for this overruling
>> feature is to save GUI users some frustration and/or clicks. In this
>> scenario, a user will overrule only their own tasks, which is possible
>> with the current check. What do you think about keeping the check as it
>> is for now, and making it more permissive once the need arises?
>
> I think that allowing users that hold the respective Sys.Modify and
> VM.PowerMgmt to overrule any tasks from the start wouldn't be too much
> "speculative future-proofing" but rather something expected while still
> safe.

Makes sense.

> FWIW, you could also drop the $authuser then and just get it from
> the RPCEnv singleton available in all API call-paths and then do
> the permission check in the helper directly.
> This would IMO be also a bit better w.r.t. conveying why we do it this
> way.

OK, sounds good! I'll send a v3 then.